Terraform and IAM

5 Aug 2017
4 minute read

Introduction

In my previous post I talked about deploying a Jekyll blog on AWS and mentioned that the IAM configuration (which I then showed how to set up through the AWS console) could also be managed with Terraform. So, let’s have a look.

There is a solid reason why people use the infrastructure-as-code approach. Not only can we keep everything documented and version-controlled, but we can also do all of our management from the comfort of the CLI.

Of course, there are other infrastructure-as-code implementations, such as Puppet, but I personally use Terraform, mainly because of its simplicity and capabilities.

If you are new to Terraform I advise you to check its documentation and play around with it. It’s definitely worth it.

Note: In this post I will not be talking about setting up and configuring Terraform.

Making the IAM policy

If you want to easily generate an IAM policy you can use the Policy Generator, located in the “Create Policy” section of your IAM dashboard.

We want our deployer to have the following permissions:

Create and manage CloudFront distributions

Create and manage S3 buckets

These options are quite permissive, but if we want to limit them we have to do some parts of the deployment process manually, like:

Creating an S3 bucket

Creating a CloudFront distribution

I’m fine with the deployer having the permissions to create CloudFront distributions and S3 buckets, so for now I’ll allow it to have all permissions for S3 and CloudFront.
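To show what the two choices above look like once they are expressed in Terraform rather than clicked together in the policy generator, here is an added example (not code from the original post). It defines the deployer user and attaches an inline policy in one of two forms: the permissive one the post settles on (all of S3 and CloudFront), and a scoped one that only covers uploading to one existing bucket and invalidating one existing distribution, which is the trade-off mentioned above: with the scoped policy the bucket and distribution have to be created by someone else. It uses Terraform 0.12+ syntax; the user name, bucket name, distribution ID and region are assumptions.

```hcl
# Added example, not from the original post. Terraform 0.12+ syntax.
# All names and IDs below are assumptions/placeholders.

provider "aws" {
  region = "eu-west-1" # assumed region
}

# The IAM user whose access keys the deploy script will use.
resource "aws_iam_user" "deployer" {
  name = "jekyll-deployer" # assumed name
}

# Permissive variant, matching the post: every S3 and CloudFront action
# on every resource in the account.
data "aws_iam_policy_document" "deployer_full" {
  statement {
    sid       = "S3Full"
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = ["*"]
  }

  statement {
    sid       = "CloudFrontFull"
    effect    = "Allow"
    actions   = ["cloudfront:*"]
    resources = ["*"]
  }
}

# Scoped variant: enough to sync the site and flush the CDN cache, nothing
# more. Creating the bucket and distribution is then a manual (or separate,
# more privileged) step, which is the trade-off the post describes.
variable "site_bucket" {
  default = "example-jekyll-site" # assumed bucket name
}

variable "distribution_id" {
  default = "EXAMPLEDISTID" # placeholder, not a real distribution ID
}

# Used to build the CloudFront distribution ARN, which includes the account ID.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "deployer_scoped" {
  statement {
    sid       = "ListSiteBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.site_bucket}"]
  }

  statement {
    sid       = "WriteSiteObjects"
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.site_bucket}/*"]
  }

  statement {
    sid       = "InvalidateCache"
    effect    = "Allow"
    actions   = ["cloudfront:CreateInvalidation"]
    resources = [
      "arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/${var.distribution_id}",
    ]
  }
}

# Pick which policy the deployer gets; the post uses the permissive one.
variable "least_privilege" {
  type    = bool
  default = false
}

resource "aws_iam_user_policy" "deployer" {
  name   = "jekyll-deployer-policy" # assumed name
  user   = aws_iam_user.deployer.name
  policy = var.least_privilege ? data.aws_iam_policy_document.deployer_scoped.json : data.aws_iam_policy_document.deployer_full.json
}

output "deployer_arn" {
  value = aws_iam_user.deployer.arn
}
```

Running `terraform plan` with `-var least_privilege=true` and then without it shows the rendered JSON for each form side by side, which is a quicker review than reading the generator's output. The detail worth checking in the permissive form is that `s3:*` on `*` reaches every bucket in the account, not just the site's; if the deployer's keys ever leak from the build machine, that is the blast radius, which is why the scoped form pins both the S3 resources and the single distribution.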

You can play around with the policy generator and when you’re ready review your policy. Mine looks like this: